SRX3600 Packet header

How should I see the packet headers of an IP address's traffic, and then block matching headers?
FireBallIT asked:
btan (Exec Consultant) commented:
You need the packet capture (and you can even create a pcap after the dump capture is set, for offline archive analysis or related activities) @ http://kb.juniper.net/InfoCenter/index?page=content&id=KB21563
But be wary not to run it long term, as it is meant for debugging or short periods; otherwise performance may be impacted due to storage and high CPU/memory use during such processing.

However, filtering to the depth of IP header fields may not be as granular as you see in this example, where the security policy includes the IP address and application protocol; you will likely have to explore other alternative devices etc. (like a web application firewall for HTTP filtering) @ http://www.mustbegeek.com/configure-firewall-rule-in-juniper-srx/
0
Duncan Roe (Software Developer) commented:
Is this Linux or other? If Linux, you can write iptables rules to match on arbitrary bytes in a header.
0
FireBallIT (Author) commented:
Linux, but the SRX cannot handle small packets; while there is no rule, it is locking.
0
Duncan Roe (Software Developer) commented:
If you can make a tcpdump expression to view only the problem packets, then you can make a rule to reject them:
1. Use nfbpf_compile to convert the tcpdump expression to the format expected by the iptables bpf extension.
2. Add a bpf rule to accept or reject as required.

Enter man iptables-extensions to see an example.
0
btan (Exec Consultant) commented:
Capturing the dump will be the most effective way to see the actual packet header.
Procedure for obtaining the captured packets:

When the configuration is complete, start the datapath-debug utility in the device. Capture does not start by itself; it is necessary to manually start it.

To start the debug:

user@host> request security datapath-debug capture start
To stop the debug:

user@host> request security datapath-debug capture stop
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21563

Note that tcpdump does not show transit traffic. To troubleshoot transit traffic you can use either flow traceoptions or datapath debugs (only for high-end SRX). See this with regard to "Trace output - example" and "Datapath-debug – Trace reorder example": http://forums.juniper.net/t5/SRX-Services-Gateway/Help-for-SRX-quot-datapath-debug-quot/m-p/101346#M12486
0
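The two approaches in this thread meet in the middle: btan's datapath-debug capture (or tcpdump -w on the Linux box) gives you a pcap, and Duncan's iptables bpf rule needs a tcpdump-style expression that matches only the problem packets. The script below is an added example, not code from the thread or from Juniper; it parses a classic libpcap file, pulls out the IPv4 header fields that such filters key on, and applies the predicate "small packets from one source host", which is what the asker describes. The capture bytes are constructed in the script (the hosts 198.51.100.7, 192.0.2.10 and 203.0.113.5 are documentation addresses, and the 60-byte threshold is an assumed value), so it runs offline; point iter_pcap at a real file once you have one. It also emits the equivalent tcpdump expression for nfbpf_compile.

```python
"""Offline check of a pcap against an IPv4 header predicate (added example)."""
import struct
import ipaddress

# Classic libpcap file constants (what tcpdump -w and the SRX pcap export produce)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header (0 when a header verifies)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, payload: bytes, ttl: int = 64, proto: int = 6) -> bytes:
    """Constructed Ethernet/IPv4 frame for the sample capture; not real traffic."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill the checksum field
    return eth + ip + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic little-endian pcap file with microsecond timestamps."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data: bytes):
    """Yield raw frames from a classic pcap file, honouring the byte order the magic implies."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ipv4_header(frame: bytes):
    """Return the IPv4 header fields a tcpdump filter keys on, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "total_len": total_len,  # ip[2:2] in tcpdump syntax
        "ttl": ttl,              # ip[8]
        "proto": proto,          # ip[9]
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }


def small_packets_from(hdr, host: str, max_total_len: int) -> bool:
    """The predicate: IPv4 packets from `host` whose total length is below `max_total_len`."""
    return hdr is not None and hdr["src"] == host and hdr["total_len"] < max_total_len


def tcpdump_expression(host: str, max_total_len: int) -> str:
    """Same predicate in tcpdump filter syntax, ready for nfbpf_compile."""
    return "src host %s and ip[2:2] < %d" % (host, max_total_len)


def find_matches(pcap: bytes, host: str, max_total_len: int):
    """Indices of frames in the capture that the predicate (and so the bpf rule) would hit."""
    return [i for i, f in enumerate(iter_pcap(pcap))
            if small_packets_from(parse_ipv4_header(f), host, max_total_len)]


# Constructed sample capture: two frames from the suspect host, one from a bystander.
SUSPECT = "198.51.100.7"
SAMPLE_PCAP = build_pcap([
    build_frame(SUSPECT, "192.0.2.10", b"\x00" * 20),       # 40-byte IP packet: should match
    build_frame(SUSPECT, "192.0.2.10", b"\x00" * 1400),     # large packet: should not match
    build_frame("203.0.113.5", "192.0.2.10", b"\x00" * 20),  # small, but wrong source host
])

if __name__ == "__main__":
    print("matching frames:", find_matches(SAMPLE_PCAP, SUSPECT, 60))
    print("tcpdump filter:", tcpdump_expression(SUSPECT, 60))
    # On the Linux box (needs the xt_bpf kernel module and nfbpf_compile from the iptables sources):
    #   iptables -A INPUT -m bpf --bytecode "$(nfbpf_compile RAW 'src host 198.51.100.7 and ip[2:2] < 60')" -j DROP
```

Two caveats a practitioner will hit: the iptables bpf match sees the packet from the IP header onward, which is why the expression is compiled for the RAW link type rather than EN10MB, and a datapath-debug capture on the SRX is stored in its own format until you export it, so convert it to pcap (per KB21563) before feeding it to iter_pcap.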
